Sunday, October 18, 2009

OWASP Top 10 - #1 - Cross Site Scripting (XSS)

In another post, I said I would talk about the OWASP Top 10, which is a list of the 10 most dangerous current Web application security flaws. This list, interestingly, is built into both the PCI DSS standard as well as Shared Assessments.

#1 on the OWASP Top 10 is Cross Site Scripting (XSS), which, per OWASP is:

whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
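To make the "validating or encoding" half of that definition concrete, here is an added example (mine, not OWASP's and not from the original post): a comment-rendering function in the vulnerable form the definition describes, beside a hardened version that HTML-encodes the user-supplied data before it reaches the browser. The function names and the sample comment are constructed for illustration; the encoder is Python's standard-library `html.escape`.

```python
import html
import re

# Constructed sample input: a comment body carrying markup the application
# must not forward to the browser unencoded.
SAMPLE_COMMENT = 'Nice post! <script>alert(1)</script>'


def render_comment_unsafe(user_input):
    """Vulnerable form: user-supplied data is concatenated straight into HTML,
    so any tag in the input is interpreted by the browser as part of the page."""
    return '<div class="comment">' + user_input + '</div>'


def render_comment_safe(user_input):
    """Hardened form: encode the characters that change HTML context
    (& < > " ') before the data is placed in the response. The same markup is
    produced, but the input is now displayed as text rather than executed."""
    return '<div class="comment">' + html.escape(user_input, quote=True) + '</div>'


def has_script_tag(markup):
    """Crude indicator used here only to show the difference between the two
    outputs: does the rendered markup still contain a raw <script> tag?"""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(SAMPLE_COMMENT))
    print("safe:  ", render_comment_safe(SAMPLE_COMMENT))
```

One caveat a practitioner will want: `html.escape` is the right encoder only when the data lands in HTML body or attribute text. Data placed inside a JavaScript block, a URL, or a CSS value needs the encoding rules of that context instead, which is why OWASP's definition speaks of encoding "that content" for the place it is sent.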

Friday, October 16, 2009

What do you think of when you think of security? Still thinking, right? Exactly. No surprise, then, that functionality and utility have taken the front seat when it comes to application development. Today, however, with the rampant spread of cross site scripting and SQL injection attacks, not to mention the already inescapable viruses and malware that live and breathe on anything running Windows, things are starting to change.

One of the most important facets of security is your password - the key to the castle. Newsweek just came out with a great article on building a better password. But, for my money - and that's what we are really trying to protect a lot of the time when we are online - there is no better solution than 1Password. For those of you still in the unfortunate position of having to use a PC (and that is how I look at it), you can turn to a good solution like RoboForm. But, for those in the know, we use a RoboForm for the Mac, if you will.

I have written about 1Password before, so will let you read my other posts to find out about it. My point in this post is that if you want to be secure online you need to have good (at a minimum) password management. By this, I am talking about a password that is not easily going to be hacked by a brute-force attack - something not easily guessed. With 1Password, you get all of this. And, further, 1Password automatically fills all of your forms for you.

I will be writing more about security soon, but you can find out more about how to secure your Mac now with 1Password here.

Friday, September 18, 2009

Locking Down Your Switch.....Cont'd

I have been talking here and here of the importance of locking down your switch (indeed your network in general) and why this is so important. It seems to me that the most basic controls are often the most overlooked. It is not surprising that most best practices call for basic network physical security and, on the same note, it is not surprising that basic security is often overlooked.

Looking through PCI DSS, for example, you will see a requirement both for WAFs (Web Application Firewalls), which operate at Layer 7, and for restricting physical access at OSI Layer 1. Indeed, it doesn't make sense to put 3 deadbolts on the front door if the back door or a window is still open.

Shared Assessments is a member-driven industry standard used to "inject standardization, consistency, speed, efficiency and cost savings into the service provider assessment process." This standard also requires that physical ports be locked down (disabled) as referenced in:

Not too surprisingly, merchants are looking for alternative payment methods (i.e. PayPal) in order to reduce the number of card transactions.

MasterCard, with their second big security change, has decided to disallow merchants' use of RKI (remote key injection) services to install new encryption keys on POS systems. This new rule by MasterCard jeopardizes the on-going Triple DES compliance efforts for all POS terminals: merchants have until July 2010 to upgrade their POS terminals from DES to Triple DES. If this upgrade now has to be done manually, as opposed to automatically with RKI, it could make meeting the July 2010 deadline quite difficult for businesses with a large number of POS terminals.

More on Locking Down Your Switch.....

In my last post I talked about the importance of locking down (disabling) physical access on your network switches to only those with authorized access. I discussed how, along with being a best practice, it is also a requirement of such standards as PCI DSS and ISACA.

Let's add another standard to that list today and that's NERC. Indeed, NERC CIP 007-1: R2 states that "The Responsible Entity shall establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled."

Saturday, September 12, 2009

Lock Down Your Switch, or Else!

Locking down your switch is one of the most important steps to do (for the network engineer) or verify (for the IT auditor). Indeed, restricting physical access to your network to only those authorized is paramount. Further, it is a requirement of PCI DSS (9.1.2: Restrict physical access to publicly accessible network jacks) and ISACA (P8 Security Assessment—Penetration Testing and Vulnerability Analysis, 6.1 Rogue Access Jacks).

Looking at this from both an operational and assurance mindset, it is equally important to ensure physical access control. But, as I am sure you are aware, importance is relative. How often is PCI DSS 9.1.2 given a checkmark for compliance on either your Self-Assessment Questionnaire or on-site assessment?

From an audit, and even an engineering perspective, it is really a best practice to lock down your switches and disable any ports not in use, especially those going to areas where people may have easy, unattended access to the network.
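Both the NERC CIP 007-1 R2 wording above ("only those ports and services required ... are enabled") and the best practice in this paragraph come down to one verifiable question: which physical ports are enabled without an authorised use? The following is an added example, not from the original post and not a vendor tool, that answers it by parsing a Cisco IOS-style running configuration and comparing it with an inventory of ports that change control says are in use. The configuration text and the inventory are constructed sample data; the interface names, `shutdown` and `description` statements follow IOS syntax.

```python
# Constructed sample running-config excerpt in Cisco IOS style (not from the
# blog). Gi0/1 to Gi0/3 are on the inventory of authorised connections; Gi0/4
# is an unused port that was left enabled; Gi0/5 is shut down as it should be.
SAMPLE_CONFIG = """\
hostname lobby-sw1
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
!
interface GigabitEthernet0/2
 description reception PC
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/3
 description lobby printer
 switchport mode access
 shutdown
!
interface GigabitEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/5
 switchport mode access
 shutdown
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
end
"""

# Authorised inventory (constructed), assumed to be kept current through the
# change-request process the post describes.
PORTS_IN_USE = {"GigabitEthernet0/1", "GigabitEthernet0/2", "GigabitEthernet0/3"}

# Only physical access ports matter for PCI 9.1.2; SVIs such as Vlan1 are skipped.
PHYSICAL_PREFIXES = ("FastEthernet", "GigabitEthernet", "TenGigabitEthernet")


def parse_interfaces(config_text):
    """Return {interface name: {"shutdown": bool, "description": str}}.

    An 'interface ...' line opens a block; indented lines belong to it; the
    first unindented line (usually '!') closes it."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"shutdown": False, "description": ""}
        elif current is not None and line.startswith(" "):
            stmt = line.strip()
            if stmt == "shutdown":
                interfaces[current]["shutdown"] = True
            elif stmt.startswith("description "):
                interfaces[current]["description"] = stmt[len("description "):]
        else:
            current = None
    return interfaces


def audit_ports(config_text, ports_in_use):
    """Split physical ports into the two findings that matter here.

    enabled_unused  - the assurance finding: a live jack with no authorised use.
    shutdown_in_use - the operational finding: an authorised connection that is
                      off, i.e. the case where site support needs a change request."""
    enabled_unused = []
    shutdown_in_use = []
    for name, attrs in parse_interfaces(config_text).items():
        if not name.startswith(PHYSICAL_PREFIXES):
            continue
        if not attrs["shutdown"] and name not in ports_in_use:
            enabled_unused.append(name)
        if attrs["shutdown"] and name in ports_in_use:
            shutdown_in_use.append(name)
    return {"enabled_unused": enabled_unused, "shutdown_in_use": shutdown_in_use}


if __name__ == "__main__":
    for finding, ports in audit_ports(SAMPLE_CONFIG, PORTS_IN_USE).items():
        print(f"{finding}: {', '.join(ports) or 'none'}")
```

Run against a real `show running-config` capture, the first list is the evidence an assessor wants for 9.1.2 and CIP 007-1 R2, and the second list is the one that tells the engineer which change requests are still waiting.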

Of course, for those in site support who may have to set up new user connections, it is quite cumbersome if the ports they need to plug their patch cables into are disabled. Indeed, instead of patching their cable and being on their merry way they now need to create that dreaded change request!

When you are on the operational side - and are feeling the pain - it is hard to see the merit of going through these processes. But, when you realize that there is a reason why the change request asks for business impact and, in many cases, will need business approval you start to see a pattern. The work we do is not in a vacuum - it supports the business. To that end, we need to be cognizant of what we are doing and what the risks are to the business.

So, the next time you need to patch in a new user and the port is disabled, don't get mad (and, please, don't get even!) - just be glad that someone out there is doing what he/she can to keep your business secure. Now it is your turn.

Friday, September 11, 2009

SAS 70 vs. ISAE 3402

This article from PWC touches on some of the key differences. One of note is that service organization management are now required to provide a formal assertion acknowledging responsibility for their controls.

As the breaches continue, let's recall Visa's statement after Heartland:

PCI DSS remains an effective security tool when implemented properly - and remains the best defense against the loss of sensitive data. No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. [emphasis added]

As one who has worked in change control, I can appreciate the fact that quite a number of PCI requirements pertain to this area.

Perhaps the most important command you can use on a router is "wri mem" - to save any changes you have made. It is nice to see the importance of this concept (saving your work) memorialized in PCI DSS:

Unless otherwise expressly stated, all original material of whatever nature included in the Tech on Tech blog and any related pages, including the blog's archives, is licensed under a Creative Commons License